StorageGuard - by Continuity™ - is the ONLY Security Posture Management solution for Storage & Backups, helping to ensure these systems are securely configured, and compliant with industry & security standards.
Introduction
When data is compromised, the last line of defense is your backup.
Over the past year, the tactics used by cybercriminals have changed, and the change puts large organizations with legacy backup environments at serious risk.
Attackers have realized that whether the victim's backups survive is the single biggest factor in whether the victim pays the ransom.
And it seems to be working.
The average cost of recovering from a ransomware attack has more than doubled in a year, according to a Sophos survey.
The same report shows that only 8% of organizations that paid the ransom got all of their data back.
If an organization cannot recover its data, the impact is devastating, and not just because of the ransom payment.
The damage can include lost revenue, significant business disruption, damage to brand reputation, and regulatory fines for compromised customer data.
The fact that so many victims eventually choose to pay the ransom raises serious concerns about the market's backup security maturity.
Fueled by extensive media coverage and the dramatic financial repercussions of data-centered crime, organizations are racing to identify and close the gap.
“I Have Backups, So What Could Possibly Go Wrong?”
I hear this question a lot, so I’ll get straight to the point and tell you exactly what can go wrong!
“While a lot of CISOs' effort is directed towards prevention and detection, not enough attention is paid to securing backup environments. This is a glaring blind spot. Organizations need to fill this major gap to secure their last line of defense.”
George Eapen, Group CIO, Petrofac
Backup Attack Horror Stories
To a large extent, the ability to recover data after an attack relies on proper data protection techniques.
While these are often collectively referred to as “backup”, in most enterprises they include mirrors, snapshots, clones, replicas, DR copies, backups, and archives.
In the early days, ransomware kits only encrypted the data itself. They quickly evolved to also destroy operating-system restore points and volume snapshots, so that the victim could not roll back locally. Now they are starting to target backup systems and central storage as well.
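The "destroy restore points and snapshots" step is the easiest of these to catch, because on Windows it is almost always done with a handful of well-known commands. The following is an added example, not code from the original page or from Continuity: a small detector run over constructed process-creation log lines (Sysmon-style text invented for the illustration) that flags shadow-copy, backup-catalog and boot-recovery tampering. The log format, host and user names, and rule names are assumptions.

```python
"""Spot recovery-inhibition commands in process-creation logs.

Added example: the commands ransomware runs to wipe Windows restore points,
volume shadow copies and backup catalogs before encrypting (MITRE ATT&CK
T1490, Inhibit System Recovery). The log lines below are constructed."""
import re
from typing import Dict, List, Tuple

# Rule name -> regex applied to a normalized (lower-case, unquoted) log line.
RULES: Dict[str, re.Pattern] = {
    "vssadmin_delete_shadows":
        re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b"),
    "vssadmin_shrink_shadowstorage":  # shrinking the store forces Windows to purge snapshots
        re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b.*\bmaxsize="),
    "wmic_shadowcopy_delete":
        re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "wbadmin_delete_backup":
        re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b"),
    "bcdedit_disable_recovery":
        re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled no|bootstatuspolicy ignoreallfailures)"),
    "powershell_wmi_shadowcopy_delete":
        re.compile(r"win32_shadowcopy\b.*\bdelete\b"),
}


def normalize(line: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so casing and quoting
    tricks (e.g. vSSadmin  'Delete'  Shadows) do not slip past the regexes."""
    line = line.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", line).strip()


def detect_recovery_tampering(log_lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, rule_name, original_line) for every matching line."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        norm = normalize(line)
        for rule, rx in RULES.items():
            if rx.search(norm):
                hits.append((n, rule, line.strip()))
    return hits


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_LOGS = [
    'ts=2024-03-02T01:12:44Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin.exe Delete Shadows /All /Quiet"',
    'ts=2024-03-02T01:13:02Z host=FS01 user=CORP\\jsmith image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin list shadows"',  # benign: listing, not deleting
    'ts=2024-03-02T01:13:10Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbem\\WMIC.exe '
    'cmdline="wmic shadowcopy delete"',
    'ts=2024-03-02T01:13:21Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\wbadmin.exe '
    'cmdline="wbadmin DELETE CATALOG -quiet"',
    'ts=2024-03-02T01:13:30Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\bcdedit.exe '
    'cmdline="bcdedit /set {default} recoveryenabled No"',
    'ts=2024-03-02T01:13:41Z host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
    'cmdline="powershell -nop -c Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"',
    'ts=2024-03-02T02:00:00Z host=BKP01 user=CORP\\svc_backup image=C:\\Program Files\\BackupAgent\\BackupAgent.exe '
    'cmdline="BackupAgent.exe --job nightly"',  # benign: the backup agent itself
]

if __name__ == "__main__":
    for n, rule, line in detect_recovery_tampering(SAMPLE_LOGS):
        print(f"line {n}: {rule}\n    {line}")
```

The service account running these commands on a file server outside a maintenance window is the second signal worth correlating: the scenario below turns on exactly that kind of misuse of backup credentials.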
The motivation is obvious: if the recovery mechanisms are destroyed, organizations have no choice but to pay the ransom or give up hope of recovering their data.
Ransomware evolution aside, many reported incidents show a time gap between the initial malware intrusion and the actual damage.
For a high-value target (especially financial services organizations, government bodies, and organizations holding significant restricted intellectual property), cybercriminals may let weeks or even months pass, using that time to research, plan, and execute a much more elaborate intrusion, including:
SCENARIO
(Inspired by real events)
A ransomware group wants to do everything possible to force a bank to pay a ransom.
To do so, they set out to destroy both the bank's data and its backup copies, so that recovery is impossible.
The cybercriminals compromise a bank employee's PC and infect it with malware.
Within a few hours they spread to other employee devices and eventually obtain the login credentials for the bank's backup systems.
The cybercriminals discover that a large portion of the backups can simply be deleted. Some backups, however, are stored on immutable media and cannot be deleted.
They decide to step it up a notch to make sure the bank cannot recover.
With time on their side, they begin poisoning the new backups.
They do this by gradually replacing the backed-up data with junk data.
So far, so good for the attackers: the backup administrator is not alerted to the changes in the bank's backups.
The cybercriminals now wait, as each backup run captures less real data and more junk.
After a few months, with the immutable backups now full of poisoned data, the attackers delete the remaining backups stored on regular storage.
They also begin encrypting the production data.
The infrastructure team tries to restore, only to find that most of the backups are gone, and the only intact copies left are 90 days old.
All the newer records, transactions, and customer information are poisoned.
The bank is left with little choice but to pay the ransom.
In this scenario, the cybercriminals succeeded because the bank had no way to detect changes to its backup configuration and backed-up data, and no way to block unauthorized changes.
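The detection gap in the scenario is configuration drift: immutability switched off, retention shortened, an extra administrator, logging turned off, and none of it alarmed anyone. As an added example (not part of the original page and not StorageGuard's implementation), the Python below keeps an HMAC-signed baseline of a backup system's security-relevant settings outside the backup infrastructure, diffs the live configuration against it and grades each change. The configuration layout, repository names, key handling and severity rules are assumptions; a real deployment would pull the live settings from the backup product's own API.

```python
"""Backup-configuration drift detection (added example, not vendor code).

A signed baseline of the backup system's security-relevant settings is kept
outside the backup infrastructure. Each run re-reads the live configuration,
checks the baseline has not been tampered with, diffs the two and grades every
change. All configuration data below is constructed for the illustration."""
import copy
import hashlib
import hmac
import json
import re
from typing import Any, Dict, List, Tuple

# Assumption: this key lives in a secrets store the backup admins cannot reach,
# so an attacker holding backup credentials cannot re-sign a doctored baseline.
BASELINE_KEY = b"example-key-held-outside-the-backup-infrastructure"


def canonical(cfg: Dict[str, Any]) -> bytes:
    """Stable JSON encoding so the same settings always hash the same way."""
    return json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()


def sign_baseline(cfg: Dict[str, Any], key: bytes = BASELINE_KEY) -> str:
    return hmac.new(key, canonical(cfg), hashlib.sha256).hexdigest()


def verify_baseline(cfg: Dict[str, Any], sig: str, key: bytes = BASELINE_KEY) -> bool:
    return hmac.compare_digest(sign_baseline(cfg, key), sig)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Nested dicts/lists -> {"repositories.repo-prod.immutable": True, "admins[0]": ...}."""
    out: Dict[str, Any] = {}
    if isinstance(obj, dict):
        for k, v in obj.items():
            out.update(flatten(v, f"{prefix}.{k}" if prefix else str(k)))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            out.update(flatten(v, f"{prefix}[{i}]"))
    else:
        out[prefix] = obj
    return out


def diff_config(baseline: Dict[str, Any], current: Dict[str, Any]) -> Dict[str, Tuple[Any, Any]]:
    """{path: (old, new)} for every leaf that differs; a missing side is None."""
    b, c = flatten(baseline), flatten(current)
    return {p: (b.get(p), c.get(p)) for p in sorted(set(b) | set(c)) if b.get(p) != c.get(p)}


def classify(path: str, old: Any, new: Any) -> Tuple[str, str]:
    """Severity rules (assumed for the example): protections switched off or
    shortened rank highest; anything unexplained still gets a ticket."""
    leaf = re.sub(r"\[\d+\]$", "", path.rsplit(".", 1)[-1])
    if leaf in ("immutable", "mfa_required") and old is True and new is not True:
        return "CRITICAL", f"{leaf} switched off"
    if leaf == "retention_days" and isinstance(old, int) and isinstance(new, int) and new < old:
        return "HIGH", f"retention shortened from {old} to {new} days"
    if path.startswith("admins") and old is None:
        return "HIGH", f"new backup administrator {new!r}"
    if path.startswith("repositories") and (old is None or new is None):
        return "HIGH", "backup repository added or removed"
    if leaf == "audit_log_forwarding" and not new:
        return "HIGH", "audit log forwarding disabled"
    return "MEDIUM", "unexplained configuration change"


def assess(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[Tuple[str, str, str, Any, Any]]:
    """Return (path, severity, message, old, new) for every drifted setting."""
    findings = []
    for path, (old, new) in diff_config(baseline, current).items():
        sev, msg = classify(path, old, new)
        findings.append((path, sev, msg, old, new))
    return findings


# Constructed baseline: the backup system as it looked when last reviewed.
BASELINE = {
    "repositories": {
        "repo-prod": {"target": "s3://bank-backups-prod", "immutable": True, "retention_days": 90},
        "repo-dr": {"target": "nas://dr-site/backups", "immutable": False, "retention_days": 30},
    },
    "admins": ["bkp-admin1", "bkp-admin2"],
    "mfa_required": True,
    "audit_log_forwarding": "siem.corp.example",
}

# Constructed live configuration after the attackers in the scenario got to work.
TAMPERED = copy.deepcopy(BASELINE)
TAMPERED["repositories"]["repo-prod"].update(immutable=False, retention_days=7)
TAMPERED["admins"].append("svc-tmp")
TAMPERED["mfa_required"] = False
TAMPERED["audit_log_forwarding"] = None

if __name__ == "__main__":
    sig = sign_baseline(BASELINE)
    assert verify_baseline(BASELINE, sig), "baseline store has been altered"
    for path, sev, msg, old, new in assess(BASELINE, TAMPERED):
        print(f"[{sev}] {path}: {msg} ({old!r} -> {new!r})")
```

The signature on the baseline matters as much as the diff: an attacker who can edit the backup configuration and the stored baseline with the same credentials simply updates both, which is why the key and the baseline copy belong outside the backup team's reach.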
Cybercriminals now routinely attempt to encrypt or delete an organization's backups as part of any attack.
Success here is critical for the adversary, because without backups the victim must pay handsomely to recover its data.
Resilient backups are simply backups that cannot be destroyed by an adversary, even one who has acquired administrative credentials.
At the simplest level, this resiliency can be achieved by backing up to removable drives, or to tapes that are then removed from the tape library, so that no online credential can reach them.
While immutability (whether implemented as a single, double, or triple immutable copy) helps to defend against cyberthreats, it is only the beginning of a comprehensive protection practice: the scenario above shows that an immutable copy of poisoned data is still poisoned, so the credentials, retention settings and integrity of what goes into the immutable store need protecting too.
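The scenario shows the limit of immutability: an immutable copy of junk is still junk, and a backup job that transfers the same number of bytes every night looks healthy. The control that catches poisoning is verifying restored data against a hash manifest computed from the production source and stored where the backup service account cannot write (a WORM or object-lock bucket, or a separately signed store). The following is an added illustration, not the page's own code; the file set, paths and the size-preserving junk attacker model are constructed for the example.

```python
"""Restore verification against an out-of-band hash manifest (added example).

Immutability stops an existing backup copy from being deleted; it does not stop
an attacker who holds backup credentials from feeding junk into new backup jobs.
The control here: hash the source data at backup time, keep that manifest where
the backup service account cannot write, and verify every restore against it.
All files below are constructed."""
import hashlib
import random
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Computed on the production side from the source files as the job runs,
    then written to a WORM/object-lock location the backup admins cannot modify."""
    return {path: sha256_hex(data) for path, data in sorted(files.items())}


def verify_restore(manifest: Dict[str, str], restored: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Compare a test restore against the manifest. A file present with the right
    size but the wrong hash is exactly the poisoning the scenario describes."""
    report: Dict[str, List[str]] = {"ok": [], "corrupted": [], "missing": [], "unexpected": []}
    for path, expected in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif sha256_hex(restored[path]) != expected:
            report["corrupted"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    return report


def poison(files: Dict[str, bytes], victim: str, seed: int = 1337) -> Dict[str, bytes]:
    """Attacker model from the scenario: same path, same size, random junk content,
    so byte counts and job status look normal. Seeded only to keep the example repeatable."""
    rng = random.Random(seed)
    tampered = dict(files)
    tampered[victim] = bytes(rng.getrandbits(8) for _ in range(len(files[victim])))
    return tampered


def sizes_match(a: Dict[str, bytes], b: Dict[str, bytes]) -> bool:
    """A size-only comparison, which is all a 'bytes transferred' job metric amounts to."""
    return set(a) == set(b) and all(len(a[p]) == len(b[p]) for p in a)


# Constructed production data at backup time.
SOURCE_FILES = {
    "ledger/2024-03-01.csv": b"txn_id,account,amount\n1001,ACC-77,250.00\n1002,ACC-12,-80.00\n",
    "customers/kyc.json": b'{"ACC-77": {"name": "A. Example", "verified": true}}',
    "config/app.yaml": b"db_host: ledger-db.internal\nretention_days: 90\n",
}
MANIFEST = build_manifest(SOURCE_FILES)  # stored out of band, not on the backup server
BACKUP_COPY = poison(SOURCE_FILES, "ledger/2024-03-01.csv")  # what landed in the immutable store

if __name__ == "__main__":
    print("size check passes:", sizes_match(SOURCE_FILES, BACKUP_COPY))
    print("manifest check:", verify_restore(MANIFEST, BACKUP_COPY))
```

Run against the poisoned copy, the size check passes while the manifest check reports the ledger file as corrupted; that is the difference between a backup that completed and a backup that can be restored, and it is why periodic test restores verified against an independent manifest belong in the protection practice alongside immutability.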
Recommendations
It’s time to harden your storage and backup.
Analyzing the security posture of backup and data protection systems is a new skill that IT teams must adopt to deal with emerging cyber-security threats.
Here are a few questions to help you check how secure your backups are:
I recommend evaluating existing internal security processes to determine whether they cover the backup infrastructure to a sufficient degree.
My recommended “6 steps for success” include:
It’s time to automate the secure configuration of your storage & backup systems.